Whether the economy is up or down — good or bad — there are some key characteristics that can help you stand out as an information security leader so you can help keep your business on track and your career moving forward. Finding your way while benefitting others really comes down to three things: 1) understanding the value of your role in information security; 2) communicating this value in the right way to the right people; and 3) staying visible.
When you think about what it is that we do in information security, the opportunities to stand out and climb the proverbial ladder become obvious. IT and information security administrators, managers and C-level executives are not just in charge of the firewall, keeping patches up to date and maintaining some semblance of business continuity. The real reason why we exist goes back to the essence of IT. At its core, IT is not just a service but rather an enabler of the business. Likewise, information security is an enabler for IT. The controls and processes associated with information security help keep the riff-raff out of our business information systems and help ensure that the technologies we have invested so heavily in are able to function as they were intended.
Furthermore, information security knows no boundaries. I have yet to come across a single function of any business that is not somehow tied in with information security. Information security enables all facets of the business to leverage technology and build loyalty with existing customers and gain the trust — and subsequent business — of new customers. It is really that simple.
As an information security professional, you are a legitimate manager with important responsibilities. But how do you make this known to other people? First off, since information security touches every aspect of the business, understand that you have to deal with lots of different people. From the CEO to marketing, product management, HR and legal, you have to get the key players in the business on your side. It is your job as an information security professional to get the right people to buy into what you are doing and proposing. This means you have to communicate well, both verbally and in writing.
Rather than hearing about your years of experience, your degrees or your certifications, people just want you to educate them and motivate them in a down-to-earth fashion. Be it in a one-on-one conversation, a board presentation or a formal audit report, simply laying out the facts in a common-sense way, using their language and on their terms, will do wonders. Pushing your information security initiatives with a me-versus-them approach, using techno-jargon combined with fear, uncertainty and doubt, is a sure-fire way to lose the trust and respect of the people who count. You will isolate yourself and end up hurting the information security function more than you help it.
A great way to communicate the value of information security and your contribution to the business is to figure out how you can break the cycle of ignorance that practically every organization faces. When you hear others say “We are compliant,” “We do not have anything the bad guys would want” or “We have a policy against that,” think about how you can educate them. For instance, you can explain the limited value of being “compliant” on the basis of a checklist audit rather than an in-depth information risk assessment: the checklist confirms that controls are present, while the risk assessment asks whether they actually reduce the risks that matter to the business. You could share with your colleagues the results of your recent vulnerability assessment and show them just what can happen when something goes awry. You can highlight the areas where the business is strong and weak when it comes to security policies and policy enforcement.
One of the best things you can do to maintain your forward momentum is to keep information security at the top of everyone’s mind in a laid-back yet self-assured way that is not too aggressive. Share your experiences, both good and bad, so people can see how the investment in information security is paying off. This could be a story of something that happened to you and your team, or it could be something related to a competitor in your industry.
An important thing to keep in mind is that people pay more attention to how something is said than to what is actually said. On that note, of all the barriers holding back both you and the information security cause, none is more detrimental than an inability to think long term and to recognize that personal and political agendas hurt more than they help. In my work as a consultant, I see the scenario over and over again where the people in charge of security pound their chests, demanding that everyone listen to their security mandates and what they have accomplished. It often creates short-term gratification for these people that is good for their egos, but it definitely hurts the long-term cause. I’m all for thinking independently and being able to assess risk in the context of your own environment. Just make sure you think things through before you speak. Two steps forward with security is no good if your words set you three steps back.
In the end, this is all about trust. And trust is as much about competence as it is about character and integrity. Showing your colleagues and your subordinates that you know what you are doing, and are not just a talking head with no practical sense, will build trust and help get others on your side. Most of us find out the hard way that information security success is not just offered up and ready for the taking. It has to be earned. This reminds me of what Jim Rohn once said: “Success is not to be pursued; it is to be attracted by the person you become.” So focus on yourself and continually improve. It is a formula that will no doubt lead you to where you want to go.
Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments. He has authored/co-authored seven books on information security including “Hacking for Dummies,” “Hacking Wireless Networks for Dummies,” and “Securing the Mobile Enterprise and Laptop Encryption for Dummies” (Wiley). He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at firstname.lastname@example.org.